Tema: SAMBA authentication in Windows Active Directory
Autorius: paprastas
Data: 2009-11-26 22:03:18
krb5.conf



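# krb5.conf - Kerberos 5 client settings for a Samba host joining the
# XXX.LOCAL realm (realm and host names are the redacted placeholders used
# in the post).
# Each value now sits on the same line as its key: the posted copy had the
# values of kdc, admin_server and default_domain wrapped onto the following
# line, which leaves those keys without a value.

[libdefaults]
    # Requested ticket lifetime; a bare integer is presumably read as seconds
    # (24000 s is about 6 h 40 min) - confirm against the installed library.
    ticket_lifetime = 24000
    default_realm = XXX.LOCAL
    # NOTE(review): both lists permit only des3-hmac-sha1. Triple-DES is
    # deprecated for Kerberos (RFC 8429), and Active Directory domain
    # controllers are generally documented as offering DES, RC4-HMAC and AES
    # rather than 3DES - confirm which types the DC can actually issue.
    # Unless there is a specific reason to pin them, consider removing both
    # overrides so the client and KDC negotiate the strongest common type.
    default_tgs_enctypes = des3-hmac-sha1
    default_tkt_enctypes = des3-hmac-sha1

[realms]
    XXX.LOCAL = {
        # KDC and admin server are the same host, XXX01.
        kdc = XXX01.xxx.local
        admin_server = XXX01.xxx.local
        # NOTE(review): default_domain looks like a Kerberos 4 name
        # conversion setting; presumably unnecessary for an AD realm - confirm.
        default_domain = XXX.LOCAL
    }

[domain_realm]
    # Map the DNS domain to the realm: the leading-dot form covers hosts
    # inside xxx.local, the bare form covers the name xxx.local itself.
    .xxx.local = XXX.LOCAL
    xxx.local = XXX.LOCAL

[login]
    # NOTE(review): krb4_* are Kerberos 4 compatibility options. Kerberos 4
    # is obsolete and Active Directory speaks Kerberos 5 only, so these are
    # presumably ignored or unneeded - confirm and drop if so.
    krb4_convert = true
    krb4_get_tickets = false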







smb.conf



# smb.conf [global] - Samba as an Active Directory domain member, with
# winbind supplying domain users and groups to the local system.
[global]
    # Domain-member mode in realm XXX.LOCAL; authentication is handled by the
    # domain controller named in "password server".
    security = ads
    realm = XXX.LOCAL
    password server = XXX01.xxx.local
    workgroup = XXX

    # Local UID/GID pool that winbind hands out to domain accounts.
    # NOTE(review): the range starts at 500, which on many distributions
    # overlaps the IDs given to local accounts. An overlap lets a domain
    # account and a local account end up with the same numeric ID, and file
    # permissions are checked on the number. Pick a range above every local
    # allocation.
    idmap uid = 500-10000000
    idmap gid = 500-10000000

    # Domain-qualified names are written with "+", e.g. XXX+user, so share
    # options such as "valid users" must use that form, or the bare user
    # name, since "winbind use default domain" is on.
    winbind separator = +
    # Enumeration lets tools list every domain user and group; this can be
    # slow in a large domain.
    winbind enum users = yes
    winbind enum groups = yes
    # NOTE(review): with default domain on, an unqualified name can refer to
    # either a local or a domain account; check that no local account shares
    # a name with a domain user.
    winbind use default domain = yes

    # Home directory and shell given to domain users; %D expands to the
    # domain name and %U to the user name.
    template homedir = /home/%D/%U
    template shell = /bin/bash

    client use spnego = yes
    domain master = no







Hosts

# Static host table: loopback, this machine (servas) and XXX01, the host that
# krb5.conf names as kdc and smb.conf names as password server.
# The 192.168.xx.01 address is redacted as posted.
# NOTE(review): the machine's own FQDN servas.xxx.local maps to 127.0.1.1
# here; anything that looks this host up by name gets a loopback address
# rather than its LAN address - confirm that is intended for a domain member.
127.0.0.1           localhost

127.0.1.1           servas.xxx.local                         servas

192.168.xx.01 XXX01.xxx.local                          XXX01





nsswitch.conf



# Name service switch: sources are consulted left to right for each database.
# Users and groups come from the local files first (compat), then from
# winbind, so a local account is found before a domain account of the same
# name.
passwd:         compat winbind

group:               compat winbind

# Password hashes are looked up locally only; winbind is not listed here.
shadow:         compat



# NOTE(review): wins resolves names through NetBIOS name service, which is
# unauthenticated; it is only reached when files and dns return nothing.
# winbind is normally an account (passwd/group) source - confirm it does
# anything for the hosts database, otherwise drop it from this line.
hosts:          files dns wins winbind

networks:       files



protocols:      db files

services:       db files

ethers:         db files

rpc:            db files



netgroup:        nis









resolv.conf

# Resolver settings: DNS queries go to 192.168.xx.01, the same (redacted)
# address the hosts listing gives for XXX01.
# NOTE(review): resolv.conf(5) treats domain and search as mutually
# exclusive, with the last one winning; both carry the same value here, so
# one of the two lines is redundant.
domain xxx.local

search xxx.local

nameserver 192.168.xx.01





 kinit Administrator - gerai





net ads testjoin - gerai





net ads join -U Administrator@xxx.local - kartais meta klaida, o kartais ne. 
Kodel?









 libads/kerberos.c:ads_kinit_passwords(356)





kerberos kinit_password SERVAS@XXX.LOCAL failed: Preauthentication failed









o jeigu net ads join -U V.Pavarde@XXX.LOCAL - failed to set password for 
machine account (NT_STATUS_ACCESS_DENIED)











wbinfo -u ir wbinfo -g rodo tiek userius, tiek grupes is Windows AD





Esme tokia: norisi sukonfiguruoti SAMBA ir sukurti joje kataloga, kur kiekvienas vartotojas, prisijunges prie Windows AD domeno, jungdamasis prie Sambos katalogo ieitu i tam tikra kataloga, o i kito zmogaus kataloga negaletu ieiti, t. y. konkreciam katalogui autorizuotusi konkretus zmogus. Pvz., i path = /home/shares/J.Jonaitis su valid users XXX\J.Jonaitis ieis tik J.Jonaitis, o i path = /home/shares/P.Ponaitis su valid users XXX\P.Ponaitis ieis tik P.Ponaitis.

Kas gali buti negerai siuose konfiguose, o gal dar kazka as praleidziu? Siaip buvau pasileides, bet visi konfigai dingo del tam tikru priezasciu. Gal kas galetu pasidalinti mintimis? Aciu.